ProofClaw

Verification

ProofClaw badges and Trust Cards use Ed25519 signatures. This guide covers every way to verify them — and what to do when verification fails.

How verification works

Every Trust Card and badge contains an Ed25519 signature created by the ProofClaw notary. Verification confirms three things:

  1. Signature validity — the signature matches the notary's public key and the Trust Card contents have not been tampered with.
  2. Revocation status — the Trust Card has not been revoked by the publisher or the notary.
  3. Content integrity — the agent ID, version, permissions, and shield score match what was declared at notarization time.

CLI verification

The CLI is the most complete verification method. It checks the signature, validates the trust chain, and queries for revocations.

# Verify a Trust Card
agentshield verify-trust-card --file trust_card.json \
  --trust-root trust/ --require-keyring

# Verify a badge SVG
agentshield verify-badge-file --file badge.svg \
  --trust-root trust/

# Verify an entire portal bundle
agentshield verify-portal --root artifacts/portal

The --require-keyring flag enforces that the notary key is present in the local trust root. Without it, the CLI will still verify the signature but won't check the key against a known set.

Web verifier

The web verifier provides a browser-based interface for quick checks. Enter an agent ID to look up its Trust Card, or paste raw Trust Card JSON for structural validation.

The web verifier checks the signature against the API and displays the trust summary: shield score, tier, permissions, and revocation status.

API verification

For programmatic verification — in CI/CD pipelines, platform middleware, or install hooks — call the trust endpoint directly.

GET /api/trust/{agentId}

# 200 — verified Trust Card (JSON)
# 404 — agent not found
# 410 — Trust Card revoked

The response includes the full Trust Card, signature, shield score, and current revocation status.
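
An added example, not ProofClaw's own code: an install-hook gate that maps the status codes above to an allow/deny decision and denies on anything unexpected, including network failures. The host and the JSON field names (trust_card, agent_id, version) are assumptions, since this page does not give the response schema.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed values: the page gives neither a host nor the response schema.
BASE_URL = "https://proofclaw.example"  # placeholder host
F_CARD, F_ID, F_VERSION = "trust_card", "agent_id", "version"  # hypothetical fields


def http_get(url, timeout=10):
    """Return (status, body_bytes); HTTP error statuses are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def evaluate(status, body, agent_id, version):
    """Map a trust-endpoint response to (allow, reason); unexpected input denies."""
    if status == 404:
        return False, "agent not found"
    if status == 410:
        return False, "Trust Card revoked"
    if status != 200:
        return False, f"unexpected status {status}"
    try:
        card = json.loads(body)[F_CARD]
        card_id, card_version = card[F_ID], card[F_VERSION]
    except (ValueError, KeyError, TypeError):
        return False, "malformed response"
    if card_id != agent_id:
        return False, "agent ID mismatch"
    if card_version != version:
        # Each version requires its own notarization.
        return False, "version mismatch"
    return True, "verified"


def check_agent(agent_id, version, fetch=http_get):
    """Install-hook gate: fail closed on network errors as well as bad responses."""
    url = f"{BASE_URL}/api/trust/{urllib.parse.quote(agent_id, safe='')}"
    try:
        status, body = fetch(url)
    except OSError as err:  # URLError, timeouts, connection resets
        return False, f"lookup failed: {err}"
    return evaluate(status, body, agent_id, version)
```

This gate relies on the endpoint's answer for revocation and version checks; it does not verify the Ed25519 signature locally.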

Offline verification

If you have the notary's public key, you can verify the Ed25519 signature on a badge or Trust Card without any network access. This confirms the signature is valid and the contents have not been tampered with.

Offline verification does not check revocation status. Always perform a revocation check via the API or CLI when possible.

Common failure modes

Invalid signature

The Trust Card or badge has been modified since it was signed. Re-obtain the original artifact from the publisher or registry.

Unknown notary key

The signing key is not in your local trust root. Update your trust root or add the --require-keyring flag to identify the gap.

Trust Card revoked

The publisher or notary has revoked this Trust Card. The agent may have a newer version with a valid Trust Card — check the registry.

Version mismatch

The Trust Card was issued for a different version than the agent you are running. Each version requires its own notarization.

Expired or stale

While Trust Cards do not expire by default, some policies enforce time-based revalidation. Check the shield policy for the agent.

Badges show provenance; they don't guarantee safety. Always review high-risk tools independently, even if the agent is verified.
Verification confirms the signature and revocation status — it does not sandbox or monitor the agent at runtime.